How Was the Bybit Exchange Hacked and $1.5B Stolen? Understand Here

By The Crypto Times
1 day ago

The Bybit exchange has fallen victim to what seems to be one of the biggest crypto hacks so far, losing over $1.5 billion of ETH on February 21.

While the whole platform was not affected, one of the exchange’s multi-signature cold wallets was severely compromised, with the hacker withdrawing billions of assets while managing to fool Bybit team members.

The modus operandi of the 2025 Bybit hack is an eerie reminder of another infamous hack, that of the WazirX exchange last year, in which hackers exploited its multisig cold wallet to steal $234.9 million.

As of now, Bybit has reassured users that its fund reserves are in the ratio 1:1. Yet several million users of the Bybit exchange are currently anxious about the status of their funds.

Here is a detailed breakdown of how the Bybit hack occurred and what possible outcomes it could produce.

How did the Bybit hack happen?

As in every major hacking incident in the crypto space, cold wallets and multisig wallets are at the center of this breach. Bybit and all other crypto exchanges use multisig wallets to add a layer of security in protecting exchange-held user funds. These specialized wallets require multiple approvals from different people to execute transactions.

Musking

To get past this security feature, the hackers employed a sophisticated technique called “Musking,” as defined by Bybit CEO Ben Zhou. Musking refers to a form of UI spoofing in which the transaction details shown to signers are altered or masked, while the transaction that is finally executed does something malicious.

This tactic tricked Bybit’s multisig wallet signers into trusting a spoofed multisig dashboard, which the hackers had managed to update with a malicious smart contract. Here is how it unfolded:

  1. Fake Transaction Interface 

The hackers manipulated Bybit’s transaction interface, which was provided by the prominent security firm Safe, and replaced it with a legitimate-looking transaction request.

  2. Approval from Bybit multisig signers

The Bybit team signed the transaction believing that it was a usual transfer of funds of the kind the exchange makes every day. Since the team has not shared full details, it could be assumed that the transaction involved a smaller amount rather than a transfer of the whole $1.3 billion of ETH all at once.

  3. Control of the wallet

Following the signature approval, the hackers gained control over the exchange wallet and moved funds out immediately. It should also be noted that not all wallets were affected: only the wallet assigned to that particular multisig was accessed.

  4. Transfer of Funds

Once the hackers gained access to Bybit’s wallet, they began moving funds to multiple unknown addresses. As per Arkham Intelligence, the hacker currently holds $1.3 billion of stolen ETH across 53 different wallets.

What Do Security Experts Say?

While the incident looks quite simple on the front end, it takes much effort from a security perspective to figure out the exact exploitation. Dilation Effect, a team of blockchain security experts, says that only one signer needed to be compromised to complete the attack, because the attacker used a sophisticated social engineering technique.

According to the experts, analysis of the on-chain transactions shows that the attacker executed the transfer function of a malicious contract through delegatecall. Furthermore, the transfer code uses the SSTORE instruction to modify the value of slot 0, thereby changing the implementation address of the Bybit cold wallet multi-signature contract to the attacker’s address.
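The storage behaviour described above, as an added example that is not from this article, Bybit or Safe: a toy Python model (not EVM code) showing why a `transfer` routine reached through delegatecall writes the wallet's own slot 0, together with a dry-run check a signer could apply before approving. The function names and addresses are constructed placeholders.

```python
from copy import deepcopy

IMPL_SLOT = 0  # per the article: slot 0 holds the wallet's implementation address

def benign_transfer(storage, to, amount):
    # Hypothetical callee: only updates a balance entry.
    storage[("balance", to)] = storage.get(("balance", to), 0) + amount

def slot0_transfer(storage, to, amount):
    # Hypothetical callee whose "transfer" performs SSTORE(0, to).
    storage[IMPL_SLOT] = to

class Wallet:
    def __init__(self, implementation):
        self.storage = {IMPL_SLOT: implementation}

    def execute(self, op, callee, callee_storage, to, amount):
        # CALL runs callee code on the callee's storage;
        # DELEGATECALL runs the same code on the caller's (wallet's) storage.
        if op not in ("call", "delegatecall"):
            raise ValueError(f"unknown operation: {op}")
        target = self.storage if op == "delegatecall" else callee_storage
        callee(target, to, amount)

def presign_check(wallet, op, callee, to, amount):
    """Dry-run the request on a copy; reject if the implementation slot moves."""
    sim = deepcopy(wallet)
    before = sim.storage[IMPL_SLOT]
    sim.execute(op, callee, {}, to, amount)
    after = sim.storage[IMPL_SLOT]
    if after != before:
        return "REJECT", f"slot {IMPL_SLOT}: {before} -> {after}"
    return "OK", "implementation pointer unchanged"

if __name__ == "__main__":
    w = Wallet("0xIMPL_PLACEHOLDER")  # constructed placeholder addresses
    for op, fn in [("call", slot0_transfer), ("delegatecall", benign_transfer),
                   ("delegatecall", slot0_transfer)]:
        print(op, fn.__name__, presign_check(w, op, fn, "0xOTHER_PLACEHOLDER", 0))
```

The same callee code is harmless under a plain call and only changes the wallet when run through delegatecall, which is why the operation type of a request matters as much as the function name shown to signers.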

Current Status of Stolen Funds

As the hacker has swiftly transferred the assets to various addresses, tracking the funds has become difficult. Unlike in other hacks, this time the hacker has not yet sent funds to the crypto mixer Tornado Cash to mix them and erase traces on the blockchain.

This latest hack has once again raised security concerns within the crypto space. Despite the use of the latest and most advanced security techniques, hackers seem to be outsmarting everything. As the funds are still held in Ethereum wallets, there is also some optimism about a potential white-hat recovery, since the hackers are not attempting to move the funds completely out of sight.
